From 21cbef0d2cc80228d2a473ccfb6ad5b071f314c7 Mon Sep 17 00:00:00 2001
From: Bart Visscher
Date: Fri, 27 Sep 2013 15:16:34 +0200
Subject: [PATCH] passesCSRFCheck added to OCP\IRequest
---
 lib/private/appframework/http/request.php | 38 +++++++++++++++++++++--
 lib/private/server.php | 17 +++++++++-
 lib/private/util.php | 24 +-------------
 lib/public/irequest.php | 5 +++
 4 files changed, 57 insertions(+), 27 deletions(-)
diff --git a/lib/private/appframework/http/request.php b/lib/private/appframework/http/request.php
index f152956c8cf..3e1f4ff87ed 100644
--- a/lib/private/appframework/http/request.php
+++ b/lib/private/appframework/http/request.php
@@ -43,7 +43,8 @@ class Request implements \ArrayAccess, \Countable, IRequest {
 'cookies',
 'urlParams',
 'parameters',
- 'method'
+ 'method',
+ 'requesttoken',
 );
 
 /**
@@ -54,9 +55,9 @@ class Request implements \ArrayAccess, \Countable, IRequest {
 * @param array 'files' the $_FILES array
 * @param array 'server' the $_SERVER array
 * @param array 'env' the $_ENV array
- * @param array 'session' the $_SESSION array
 * @param array 'cookies' the $_COOKIE array
 * @param string 'method' the request method (GET, POST etc)
+ * @param string|false 'requesttoken' the requesttoken or false when not available
 * @see http://www.php.net/manual/en/reserved.variables.php
 */
 public function __construct(array $vars=array()) {
@@ -354,4 +355,35 @@ class Request implements \ArrayAccess, \Countable, IRequest {
 return $this->content;
 }
-}
+
+ /**
+ * Checks if the CSRF check was correct
+ * @return bool true if CSRF check passed
+ * @see OC_Util::$callLifespan
+ * @see OC_Util::callRegister()
+ */
+ public function passesCSRFCheck() {
+ if($this->items['requesttoken'] === false) {
+ return false;
+ }
+
+ if (isset($this->items['get']['requesttoken'])) {
+ $token = $this->items['get']['requesttoken'];
+ } elseif (isset($this->items['post']['requesttoken'])) {
+ $token = $this->items['post']['requesttoken'];
+ } elseif (isset($this->items['server']['HTTP_REQUESTTOKEN'])) {
+ $token = $this->items['server']['HTTP_REQUESTTOKEN'];
+ } else {
+ //no token found.
+ return false;
+ }
+
+ // Check if the token is valid
+ if($token !== $this->items['requesttoken']) {
+ // Not valid
+ return false;
+ } else {
+ // Valid token
+ return true;
+ }
+ }}
diff --git a/lib/private/server.php b/lib/private/server.php
index 4000f546a3b..73a0cbd6ce6 100644
--- a/lib/private/server.php
+++ b/lib/private/server.php
@@ -22,6 +22,19 @@ class Server extends SimpleContainer implements IServerContainer {
 return new ContactsManager();
 });
 $this->registerService('Request', function($c) {
+ if (isset($c['urlParams'])) {
+ $urlParams = $c['urlParams'];
+ } else {
+ $urlParams = array();
+ }
+
+ if (\OC::$session->exists('requesttoken')) {
+ $requesttoken = \OC::$session->get('requesttoken');
+ } else {
+ $requesttoken = false;
+ }
+
+
 return new Request(
 array(
 'get' => $_GET,
@@ -33,7 +46,9 @@ class Server extends SimpleContainer implements IServerContainer {
 'method' => (isset($_SERVER) && isset($_SERVER['REQUEST_METHOD']))
 ? $_SERVER['REQUEST_METHOD']
 : null,
- 'urlParams' => $c['urlParams']
+ 'params' => $params,
+ 'urlParams' => $urlParams,
+ 'requesttoken' => $requesttoken,
 )
 );
 });
diff --git a/lib/private/util.php b/lib/private/util.php
index 04a020ff006..c5b4d2ae93e 100755
--- a/lib/private/util.php
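Review bot: The token comparison `if($token !== $this->items['requesttoken'])` is a plain string comparison that stops at the first differing byte, and `$token` comes straight from GET, POST or the header without any check that it is a string. Where the supported PHP version provides it, replace the if/else that returns a literal bool with `if (!is_string($token) || !hash_equals($this->items['requesttoken'], $token)) { return false; }` followed by `return true;`. The method also reads `$this->items['requesttoken']` unconditionally; if the constructor (outside this hunk) only copies keys that are present in `$vars`, a Request built without a `requesttoken` entry would raise an undefined index here instead of reaching the intended `=== false` branch, so either an `isset` guard or a default for the key in the constructor is worth confirming. The last line `+ }}` appears to put the class's closing brace on the same line as the method's; if that is not an artefact of how the patch was pasted, it belongs on its own line.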
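Review bot: The session token is captured once, when the `Request` service closure runs, so `passesCSRFCheck()` later compares against whatever `\OC::$session->exists('requesttoken')` returned at that moment; if `SimpleContainer::registerService` caches the instance and the token is created or rotated afterwards (the `OC_Util::callRegister()` named in request.php's docblock), util.php's `isCallRegistered()` in this same commit would check a stale snapshot, which the inline implementation it replaces could not. Whether the container caches is outside the hunk; if it does, reading the token lazily inside `passesCSRFCheck()` or refreshing the service after token creation avoids it. Independently, `\OC::$session` is dereferenced without a null check, so constructing the Request before the session exists (CLI, early bootstrap) is a fatal error rather than a `false` token; `$requesttoken = (\OC::$session !== null && \OC::$session->exists('requesttoken')) ? \OC::$session->get('requesttoken') : false;` keeps the intended fallback.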
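Review bot: `'params' => $params,` references a variable that is never defined in the service closure — only `$c`, `$urlParams` and `$requesttoken` are in scope — so it evaluates to `null` with an undefined-variable notice, and `'params'` is not in the `Request` key whitelist either (the list in request.php has `'parameters'`). Unless the key is populated somewhere outside this diff, drop the line; if URL parameters were meant, the `'urlParams' => $urlParams,` entry already carries them.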
+++ b/lib/private/util.php
@@ -695,29 +695,7 @@ class OC_Util {
 * @see OC_Util::callRegister()
 */
 public static function isCallRegistered() {
- if(!\OC::$session->exists('requesttoken')) {
- return false;
- }
-
- if(isset($_GET['requesttoken'])) {
- $token = $_GET['requesttoken'];
- } elseif(isset($_POST['requesttoken'])) {
- $token = $_POST['requesttoken'];
- } elseif(isset($_SERVER['HTTP_REQUESTTOKEN'])) {
- $token = $_SERVER['HTTP_REQUESTTOKEN'];
- } else {
- //no token found.
- return false;
- }
-
- // Check if the token is valid
- if($token !== \OC::$session->get('requesttoken')) {
- // Not valid
- return false;
- } else {
- // Valid token
- return true;
- }
+ return \OC::$server->getRequest()->passesCSRFCheck();
 }
 
 /**
diff --git a/lib/public/irequest.php b/lib/public/irequest.php
index 054f15d9eb2..45b27868d70 100644
--- a/lib/public/irequest.php
+++ b/lib/public/irequest.php
@@ -107,4 +107,9 @@ interface IRequest {
 function getCookie($key);
 
+ /**
+ * Checks if the CSRF check was correct
+ * @return bool true if CSRF check passed
+ */
+ public function passesCSRFCheck();
 }
--
2.39.5
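Review bot: The public interface docblock for `passesCSRFCheck()` says only that it "checks if the CSRF check was correct", leaving implementers and callers to guess where the token is expected and what a missing session token yields. The private implementation in request.php accepts the token from the `requesttoken` GET or POST parameter or the `HTTP_REQUESTTOKEN` header and returns false when no session token is available; state that contract here so alternative implementations match, e.g. `* Compares the request token (GET/POST 'requesttoken' or the REQUESTTOKEN header) with the session token; returns false when either is missing or they differ.`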